Hello,

The main reason I am writing this document series is that, although we own more than one security product, we are unable to answer (or lack a comparison of) what we should monitor, which logs are important and which are critical. While thinking about what could be done to close this gap, at least for Windows platforms, the idea of writing this series came to me. I hope you enjoy reading it…

Note

Since not every audit GPO will be covered in these topics, the content will have gaps. This document is intended as a guide and does not cover the subject in its entirety.


Contents

About the Author
Introduction
Why Auditing and Logging Matter
Account Logon
  Audit Credential Validation
  Audit Kerberos Authentication Service
  Audit Kerberos Service Ticket Operations
Account Management
  Audit Computer Account Management
  Audit User Account Management
  Audit Security Group Management
Detailed Tracking
  Audit Process Creation
  Audit Token Right Adjust
DC Access
  Audit Directory Service Access & Service Changes
Logon / Logoff
  Audit Logon
  Audit Logoff
  Audit Group Membership
  Audit Account Lockout
Object Access
  Audit File System
  Audit File Share
  Audit Registry
  Audit Filtering Platform Connection Properties
Policy Change
  Audit Policy Change
  Audit Authentication Policy Change
  Audit MPSSVC Rule-Level Policy Change
Privilege Use
  Audit Non Sensitive Privilege Use
  Audit Sensitive Privilege Use
Recommended Logging Settings for Active Directory
  Recommended Minimum Audit Policy
  Recommended NTLM Audit Events
Making Sense of Logs with Azure Security Center
  Azure Security Center – Events
Sysmon
Making Sense of Logs with Kibana
  Winlogbeat
Phant0m, the Nightmare of Event Logs
How Do I Log PowerShell?
  Script Block Logging
  Module Logging
  Logging PowerShell Activity


Hasan DİMDİK

Cloud and Datacenter MVP